Archive for June 11th, 2014

We recently discussed the latest attacks affecting users in Japan, which were the work of the BKDR_VAWTRAK malware. This malware family combines backdoor and infostealer behaviors and has recently added banking credential theft to its repertoire.

That post also mentioned that this malware tries to downgrade the privileges of security software, including Trend Micro products. In this post, we add more detail on how VAWTRAK performs this routine and describe potential countermeasures.

How Software Restriction Policies Are Abused

The particular feature VAWTRAK uses to disable security software is known as Software Restriction Policies (SRP). It was first introduced in Windows® XP and Server 2003 and can be thought of as a very early form of application whitelisting and blacklisting. Microsoft’s own documentation states that the feature was intended to:

Fight viruses

Regulate which ActiveX controls can be downloaded

Run only digitally signed scripts

Enforce that only approved software is installed on system computers

Lock down a machine

SRP offers several methods for identifying which files are blocked from running on a system. VAWTRAK uses the path where an application is installed to decide whether it should be blocked. It looks for the following directories, used by various security products, under the %Program Files% and %All Users Profile%\Application folder:

a-squared Anti-Malware

a-squared HiJackFree

Agnitum

Alwil Software

AnVir Task Manager

ArcaBit

AVAST Software

AVG

avg8

Avira GmbH

Avira

BitDefender

BlockPost

Common Files\Doctor Web

Common Files\G DATA

Common Files\P Tools

Common Files\Symantec Shared

DefenseWall

DefenseWall HIPS

Doctor Web

DrWeb

ESET

f-secure

F-Secure\F-Secure Internet Security

FRISK Software

G DATA

K7 Computing

Kaspersky Lab Setup Files

Kaspersky Lab

Lavasoft

Malwarebytes

Malwarebytes’ Anti-Malware

McAfee

McAfee.com

Microsoft Security Client

Microsoft Security Essentials

Microsoft\Microsoft Antimalware

Norton AntiVirus

Online Solutions

P Tools Internet Security

P Tools

Panda Security

Positive Technologies

Sandboxie

Security Task Manager

Spyware Terminator

Sunbelt Software

Symantec

Trend Micro

UAenter

Vba32

Xore

Zillya Antivirus

If it finds that any of the above directories are present, it adds the following registry entries to force applications in that directory to run with restricted privileges:

As a result, no file under that directory will run; Windows instead displays the following error message:

Figure 1. Error message
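A defender who suspects this tactic needs a way to audit the SRP rules on a host, either live or from an exported registry key taken from a disk image. The script below is an added example, not Trend Micro's code or anything VAWTRAK does. It assumes the standard SRP storage layout, in which path rules sit under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\{GUID} with the path in an ItemData value (this layout is taken from SRP documentation, not from the post); it treats any rule whose level is not Unrestricted as a restriction of that directory; and the .reg text it parses is constructed for the example, with made-up GUIDs. The watch list is a subset of the directory names given above.

```python
"""Offline triage of Software Restriction Policies (SRP) path rules.

Added example, not Trend Micro's or VAWTRAK's code. Assumptions:
  * SRP path rules live under
    HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\{GUID}
    with the path in the ItemData value (documented SRP layout, not from the post);
  * SAMPLE_REG below is a constructed `reg export` of that key with made-up GUIDs.
"""
import re
from dataclasses import dataclass

# SRP level ids used as subkey names under CodeIdentifiers (SAFER_LEVELID_* values).
LEVELS = {0: "Disallowed", 0x1000: "Untrusted", 0x10000: "Constrained",
          0x20000: "Basic User", 0x40000: "Unrestricted"}

# Subset of the security-product directory names listed in the post.
WATCHED_DIRS = [
    "Trend Micro", "Kaspersky Lab", "Symantec", "McAfee", "ESET", "AVAST Software",
    "AVG", "Avira", "BitDefender", "Malwarebytes", "Microsoft Security Client",
    "Microsoft\\Microsoft Antimalware", "Common Files\\Symantec Shared", "Sandboxie",
]

RULE_KEY = re.compile(r"CodeIdentifiers\\(\d+)\\Paths\\(\{[0-9A-Fa-f-]+\})$", re.IGNORECASE)

# Constructed sample: one rule each for Trend Micro (Disallowed), Kaspersky Lab
# (Basic User, stored as REG_EXPAND_SZ) and an unrelated user directory.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00040000
"TransparentEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{11111111-2222-3333-4444-555555555555}]
"ItemData"="C:\\Program Files\\Trend Micro"
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths\{66666666-7777-8888-9999-000000000000}]
"ItemData"=hex(2):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,20,00,\
  46,00,69,00,6c,00,65,00,73,00,5c,00,4b,00,61,00,73,00,70,00,65,00,72,00,73,00,\
  6b,00,79,00,20,00,4c,00,61,00,62,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}]
"ItemData"="C:\\Users\\Public\\Downloads"
"SaferFlags"=dword:00000000
"""


@dataclass
class Finding:
    key: str       # full registry key of the rule
    level: str     # SRP level the rule assigns
    path: str      # path pattern taken from ItemData
    matched: str   # watched directory name that matched


def _decode_value(raw: str):
    """Decode one .reg value literal: quoted REG_SZ, dword:, or hex(...) forms."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\w+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if (m.group(1) or "3") == "2":  # REG_EXPAND_SZ: UTF-16LE with trailing NUL
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg(text: str) -> dict:
    """Parse .reg export text into {key: {name: value}}; joins '\\' continuation lines."""
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\"):           # hex data continued on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, value = line[1:].partition('"=')
            keys[current][name] = _decode_value(value)
    return keys


def _watched_match(path: str):
    """Return the watched directory name the rule path points at, if any."""
    norm = path.replace("/", "\\").rstrip("\\").lower()
    for name in WATCHED_DIRS:
        if norm.endswith("\\" + name.lower()):
            return name
    return None


def find_suspicious_rules(reg_text: str) -> list:
    """Flag SRP path rules that restrict a known security-product directory."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        m = RULE_KEY.search(key)
        if not m or not isinstance(values.get("ItemData"), str):
            continue
        level = LEVELS.get(int(m.group(1)), f"level {m.group(1)}")
        if level == "Unrestricted":
            continue                       # allow rules are not the tampering described
        matched = _watched_match(values["ItemData"])
        if matched:
            findings.append(Finding(key, level, values["ItemData"], matched))
    return findings


def removal_commands(findings) -> list:
    """reg.exe commands to delete flagged rules once confirmed not to be legitimate policy."""
    cmds = []
    for f in findings:
        short_key = f.key.replace("HKEY_LOCAL_MACHINE", "HKLM")
        cmds.append(f'reg delete "{short_key}" /f')
    return cmds


if __name__ == "__main__":
    found = find_suspicious_rules(SAMPLE_REG)
    for f in found:
        print(f"{f.level:<11} {f.path}  (matched '{f.matched}')")
    print("\n".join(removal_commands(found)))
```

On a live host the input is produced with `reg export HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer srp.reg`; the same layout exists under HKEY_CURRENT_USER for per-user policy, so both exports are worth checking. The script deliberately only reports and emits deletion commands rather than changing the registry itself, because a Disallowed rule on one of these directories may also be legitimate enterprise policy on a host that has moved to a different product.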

This is not the only time we have seen this tactic used, but the prominence of recent VAWTRAK attacks means there are more users affected by it than normal.

To protect our users, we not only detect and remove BKDR_VAWTRAK malware, but we also specifically detect this particular behavior to ensure that Trend Micro products are able to run and provide the necessary protection as needed. We encourage users to download and use the latest available pattern files to ensure they have the most up-to-date protection available.

Special mention to Rhena Inocencio for the malware analysis and Roddell Santos and Dexter To for the validation of this security feature.